Joomla brute force attacks

I've noticed an increase in Joomla brute force attacks. I haven't been able to find a mod_security rule that stops these and is compatible with Litespeed. The few rules I've found all need to scan the response body.

Any ideas? It would be fantastic if Litespeed could support this natively.

Yes, I adapted that one to fit my needs. I didn't like the 3 in 10 seconds and prefered 15 in 3 minutes.

Adding just the Jooomla and the Wordpress rule reduced the load on our server by nearly half and hasn't noticibly reduced the response times. I'm quite impressed by litespeed's implementation of mod security.

Ask and ye shall receive: Response body scanning is going to require the API we're working on in OpenLiteSpeed 1.3 right now. Because it's still in development (and on OpenLiteSpeed) it's going to be some time before we'll be able to support response body scanning on Enterprise.

I don't suppose we could make use of args ? I haven't checked what joomla's variables are named or even if they always have the same name, but I'm thinking of something along the lines of checking if ARGS.password and ARGS.username are set ?

I had issues getting the rules to detect anything, that's when I noticed that the following line in modsec2.conf :

LoadFile /opt/lua/lib/liblua.so

was commented.

I uncommented it and restarted litespeed. It imediatly detected the ongoing brute force for wordpress that I had noticed but just once, almost as if detecting the brute force once made something crash in litespeed.

I'm waiting for an answer from comodo about this, but could it be a bug in the litespeed modsecurity engine ?